Hackers blew up the defenses of iOS 15, Windows 10 and Google Chrome during the TianFu Cup, an annual hacking competition held in China in Sichuan province. According to the statements of some manufacturers, some zero-day flaws exploited during this tournament have been or will be corrected soon.
We talked about it in our columns a few days ago, Chinese hackers managed to hack an iPhone 13 in just 15 seconds. This feat was achieved during the TianFu Cup (October 16-17), a hacking competition held annually in Sichuan Province, China. This event is essential as the unmissable event for the elite of the Middle Empire hackers, especially since they have ban from participating in similar tournaments outside the borders of their country.
The Chinese hacker elite has wreaked havoc
However and as reported by our colleagues from the Forbes site, the participants of the TianFu Cup are doing hard for this edition by bringing down the defenses of iOS 15.0.2, but also of a multitude of popular services and products. Thus, the hackers succeeded in exploiting five security flaws spotted in Windows 10, including one impacting Microsoft Exchange. As for Google Chrome, the hackers used two vulnerabilities to take down the browser.
And again, the list of victims does not end there: Adobe PDF, Asus AX56U router, Docker CE, Parallels VM, QEMA VM, Ubuntu 20, VMware ESXi and Workstation have also been hacked with flying colors. As you can doubt, details regarding the vulnerabilities exploited and their effects will only be known in the coming months.
Indeed, the participants in this kind of competition generally engage in “responsible disclosure”. In other words, they promise not to provide details of exploited flaws until manufacturers have had time to release a patch. However, the TianFu Cup has a somewhat special status. Indeed, China enacted a new law on September 1, 2021 which requires all Chinese citizens to disclose to the government any zero-day flaws found.
A worrying competition on a specific point
For Kristina Balaam, chief IT security engineer at Lookout, this measure is worrying in the sense that it means that “the Chinese government could store a significant number of zero-day vulnerabilities against products widely used in other regions and gain access to the knowledge necessary to exploit these products before they are successfully patched“.
However, for Jack Williams, co-founder of the computer security company BreachQuest, don’t worry more than that about the TianFu Cup. As he specifies, participants have every interest in keeping the vulnerabilities they detect secret and then exploiting them in competitions. The reason ? It is much more profitable to reveal these flaws in competition and win prizes than revealing them to builders (via bug-hunting programs) or authorities. For example, the Team Pangu pirates pocketed $ 300,000 at TianFu Cup to jailbreak an iPhone 13 under iOS 15.2.
Regarding the manufacturers affected by the flaws exploited during the competition, Microsoft assured that “solutions to verified security issues that meet our criteria for immediate support are normally released as part of the Tuesday patches ”. As for Google, the company has just corrected two zero-day security flaws in Google Chrome 95. Everything suggests that these are the two vulnerabilities exploited during the competition.